8.4 Protecting Your Data
There is a strong overlap between the
physical security of your computer systems and the privacy and
integrity of your data. After all, if somebody steals your computer,
they probably have your data. Unfortunately, there are many attacks
on your data that can circumvent the physical measures mentioned in
earlier sections.
This section explores several different types of attacks on data and
discusses approaches for protecting against these attacks. It
recapitulates some advice given elsewhere in the book in the context
of physical security.
8.4.1 Eavesdropping
Electronic
eavesdropping
is perhaps the most sinister type of data piracy. Even with modest
equipment, an eavesdropper can make a complete transcript of a
victim's actions—every keystroke and every
piece of information viewed on a screen or sent to a printer. The
victim, meanwhile, usually knows nothing of the
attacker's presence and blithely goes about his
work, revealing not only sensitive information but also the passwords
and procedures necessary for obtaining even more information.
In many cases, you cannot possibly know if you're
being monitored. Sometimes you will learn of an
eavesdropper's presence when the attacker attempts
to make use of the information obtained. Often, you cannot prevent
significant damage at that point. With care and vigilance, however,
you can significantly decrease the risk of being monitored.
Encryption provides
significant protection against eavesdropping. Thus, in many cases, it
makes sense to assume that your communications are being monitored
and to encrypt all communications as a matter of course.
8.4.1.1 Wiretapping
By
their very nature, electrical wires are prime candidates for
eavesdropping (hence the name wiretapping). An
attacker can follow an entire conversation over a pair of wires with
a simple splice—sometimes without even touching the wires
physically: a simple induction loop coiled around a terminal wire is
enough to pick up most voice and RS-232 communications. Similar
measures are effective for monitoring local area networks.
Reportedly, national-level intelligence agencies have been able to
wiretap underwater optical cables by analyzing the electrical
emissions from amplifiers and repeaters.
Here are some guidelines to prevent wiretapping:
- Routinely inspect all wires that carry data (especially terminal
wires and telephone lines used for modems) for physical damage.
- Protect your wires from monitoring by using shielded cable. Armored
cable provides additional protection.
- If you are very security conscious, place your cables in a steel
conduit. In high-security applications, the conduit can be
pressurized with gas; gas pressure monitors can be used to trip an alarm
system in the event of tampering. However, these approaches are
expensive to install and maintain.
8.4.1.2 Eavesdropping over local area networks (Ethernet and twisted pairs)
Local area networks that are based on
Ethernet or on a twisted pair are susceptible to eavesdropping;
simply plugging a packet monitor into an unused network connection
can often allow an attacker to intercept the entire contents of the
local area network traffic. For this reason, unused offices should
not have live Ethernet or twisted-pair ports
inside them; disable these ports at your wiring closet.
Many organizations have used Ethernet switches to increase the
capacity of their networks. A switch does not rebroadcast all traffic
to all ports as a shared Ethernet or a hub does; instead, it learns
the hardware (MAC) address of each machine on each port and forwards
a computer only the packets addressed to it. Switches can
significantly improve the security of these networks by reducing the
opportunity for eavesdropping. Nevertheless, you should not rely on
switches for your security: an attacker on a switched LAN can still
see other stations' traffic by flooding the switch's address table
with bogus addresses until it falls back to broadcasting every frame,
or by sending forged ARP replies so that victims address their
packets to the attacker's machine (ARP spoofing).
You may wish to periodically scan all of the IP addresses that have
been allocated to your subnet to make sure that no unauthorized hosts
are operating on your network. You can also run LAN monitoring
software that sounds an alarm each time a packet is seen from a
previously unknown Ethernet (MAC) address.
The freely available Unix program
arpwatch will monitor your local area network
for new Ethernet cards and alert you when they are detected;
arpwatch also reports when an Ethernet MAC
address starts using a different IP address. On the other hand,
arpwatch can't detect a
passively tapped connection using a cable with its transmit leads
cut.
Some Ethernet hubs and switches can be set to monitor the IP numbers
of incoming packets.
If a packet comes in from a computer connected to the hub that
doesn't match what the hub has been told is correct,
it can raise an alarm or shut down the link. This capability helps
prevent various forms of Ethernet spoofing. Some hubs can also be
configured with MAC address
filtering or
lock-down,
so that if an unauthorized MAC address is used on a port, that port
will be automatically disabled.
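The following is an added example, not code from the book and not part of arpwatch itself. It shows the detection logic that arpwatch and the port lock-down features just described perform, run over a constructed list of ARP observations: a never-before-seen MAC address, an IP address whose MAC binding changes (the usual symptom of ARP spoofing), an address that flip-flops between two MACs, a MAC that starts using an additional IP, and a MAC appearing on a switch port whose allowed list does not include it. The report strings are modeled loosely on arpwatch's "new station", "changed ethernet address" and "flip flop" messages; the port names, addresses and per-port policy are all made up.

```python
"""
Added example: an arpwatch-style monitor with a software port lock-down
check. Input is a constructed list of ARP observations as a sniffer on
the LAN would see them; nothing here touches a real interface.
"""
from collections import defaultdict, namedtuple

# One observed ARP reply or gratuitous ARP: time, switch port, sender MAC, sender IP.
Arp = namedtuple("Arp", "ts port mac ip")

# Constructed sample traffic (hypothetical ports and addresses).
SAMPLE = [
    Arp(1, "fa0/1", "00:11:22:33:44:01", "10.0.0.1"),   # the gateway
    Arp(2, "fa0/2", "00:11:22:33:44:02", "10.0.0.2"),
    Arp(3, "fa0/3", "00:11:22:33:44:03", "10.0.0.3"),
    Arp(4, "fa0/2", "00:11:22:33:44:02", "10.0.0.2"),   # benign repeat
    Arp(5, "fa0/7", "de:ad:be:ef:00:07", "10.0.0.1"),   # unknown MAC claims the gateway's IP
    Arp(6, "fa0/1", "00:11:22:33:44:01", "10.0.0.1"),   # real gateway answers again
    Arp(7, "fa0/3", "00:11:22:33:44:03", "10.0.0.30"),  # known MAC, additional IP
]

# Hypothetical lock-down policy: ports listed here accept only these MACs;
# ports not listed are unrestricted.
PORT_POLICY = {
    "fa0/1": {"00:11:22:33:44:01"},
    "fa0/7": {"00:11:22:33:44:07"},
}

class ArpMonitor:
    def __init__(self, port_policy):
        self.port_policy = port_policy
        self.known_macs = set()
        self.ip_to_mac = {}                 # current IP -> MAC binding
        self.prev_mac = {}                  # previous MAC per IP, for flip-flop detection
        self.mac_to_ips = defaultdict(set)  # every IP each MAC has used

    def observe(self, a):
        """Return the list of alert strings raised by one observation."""
        alerts = []
        allowed = self.port_policy.get(a.port)
        if allowed is not None and a.mac not in allowed:
            alerts.append(f"port-security {a.port}: {a.mac} not permitted")
        if a.mac not in self.known_macs:
            self.known_macs.add(a.mac)
            alerts.append(f"new station {a.mac} ({a.ip})")
        old = self.ip_to_mac.get(a.ip)
        if old is not None and old != a.mac:
            if self.prev_mac.get(a.ip) == a.mac:
                alerts.append(f"flip flop {a.ip}: {old} -> {a.mac}")
            else:
                alerts.append(f"changed ethernet address {a.ip}: {old} -> {a.mac}")
            self.prev_mac[a.ip] = old
        self.ip_to_mac[a.ip] = a.mac
        if self.mac_to_ips[a.mac] and a.ip not in self.mac_to_ips[a.mac]:
            alerts.append(f"{a.mac} now also using {a.ip}")
        self.mac_to_ips[a.mac].add(a.ip)
        return alerts

def run(observations, port_policy=PORT_POLICY):
    """Feed observations through a monitor; return [(ts, alert), ...]."""
    mon = ArpMonitor(port_policy)
    out = []
    for a in observations:
        for msg in mon.observe(a):
            out.append((a.ts, msg))
    return out

if __name__ == "__main__":
    for ts, msg in run(SAMPLE):
        print(f"t={ts}: {msg}")
```

Observation 5 is the one that matters: a machine on an unauthorized port announces the gateway's IP address with its own MAC, and three alerts fire at once. Note the limitation the text already points out: a monitor of this kind sees only stations that transmit, so a purely passive tap with its transmit leads cut never appears in the report.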
8.4.1.3 Eavesdropping on 802.11 wireless LANs
In recent years, high-speed wireless LANs have become increasingly
popular at many universities and corporations. Presently, these
systems are not secure. Even when the so-called WEP encryption system
is in use, an attacker can masquerade as an authorized user and gain
access to the wireless LAN: WEP's shared-key authentication exposes
an RC4 keystream to anyone listening, and its 24-bit initialization
vector repeats often enough that frames encrypted under the same
keystream can be recovered from one another. The information moving
through the air can therefore be trivially eavesdropped. WEP has
since been replaced by WPA2 and WPA3, which do not share these flaws;
even so, wireless LANs should not be used in security-conscious
environments. If a wireless LAN must be used in your environment,
locate the Wireless Access Point outside your organization's firewall
(or between two firewalls) and require your users to employ a second
layer of encryption, such as a VPN or SSL.
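To make concrete why WEP traffic is so easily read, here is an added example (not from the book, and not an attack tool): a model of WEP's per-frame encryption, which runs RC4 keyed by the 3-byte IV concatenated with the shared key over the plaintext plus a CRC-32 integrity value, and then the eavesdropper's side, which never learns the shared key. Once the access point reuses an IV, and one frame under that IV has a guessable plaintext (an ARP or DHCP exchange, say), XORing that plaintext into the ciphertext yields the keystream, which decrypts every other frame under the same IV and lets the attacker forge frames that pass the integrity check. The key, IV and frame contents are constructed.

```python
"""
Added example: WEP keystream reuse. The shared key, IV and frames below
are made up; the framing (iv || RC4(iv || key) XOR (data || CRC-32))
follows the 802.11 WEP definition.
"""
import zlib

def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling then `length` bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")

# --- station / access point side (knows the shared key) ---
def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    body = plaintext + icv(plaintext)
    return iv + xor(rc4(iv + shared_key, len(body)), body)

def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    iv, ct = frame[:3], frame[3:]
    body = xor(rc4(iv + shared_key, len(ct)), ct)
    pt, tag = body[:-4], body[-4:]
    if icv(pt) != tag:
        raise ValueError("bad ICV")
    return pt

# --- eavesdropper side (does not know the shared key) ---
def recover_keystream(frame: bytes, known_plaintext: bytes):
    """One frame with known plaintext gives the keystream for its IV."""
    iv, ct = frame[:3], frame[3:]
    return iv, xor(ct, known_plaintext + icv(known_plaintext))

def decrypt_with_keystream(keystream_by_iv: dict, frame: bytes) -> bytes:
    """Any later frame reusing a recovered IV falls without the key."""
    iv, ct = frame[:3], frame[3:]
    return xor(ct, keystream_by_iv[iv])[:-4]

def forge_with_keystream(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """The ICV is unkeyed, so the keystream also lets the attacker inject
    a frame the access point will accept (the masquerade in the text)."""
    body = plaintext + icv(plaintext)
    return iv + xor(keystream, body)

def demo():
    shared_key = b"k3y42"                               # constructed 40-bit key
    iv = b"\x7a\x01\x03"
    known_pt = b"ARP who-has 10.0.0.1 tell 10.0.0.9"    # guessable fixed-format frame
    secret_pt = b"PASS hunter2 user=smith host=db1"     # sent later under the same IV
    f_known = wep_encrypt(shared_key, iv, known_pt)
    f_secret = wep_encrypt(shared_key, iv, secret_pt)
    # Attacker: recover keystream from the guessable frame, then read the other.
    iv_seen, ks = recover_keystream(f_known, known_pt)
    recovered = decrypt_with_keystream({iv_seen: ks}, f_secret)
    forged = forge_with_keystream(iv_seen, ks, b"forged frame from attacker")
    # The AP, holding the real key, accepts the forged frame.
    return recovered, wep_decrypt(shared_key, forged)

if __name__ == "__main__":
    recovered, accepted = demo()
    print("eavesdropper read:", recovered)
    print("access point accepted:", accepted)
```

The recovered keystream is exactly the RC4 output for that IV and key, which is why a second layer of encryption (VPN or SSL, as the text advises) is what actually protects the contents.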
8.4.1.4 Eavesdropping by radio and using TEMPEST
Every piece of electrical equipment emits
radiation in the form of radio waves. Using specialized equipment, it
is possible to analyze the emitted radiation generated by computer
equipment and determine the calculations that caused the radiation to
be emitted in the first place.
Radio eavesdropping is a special kind of tapping that security
agencies (in the U.S. these agencies include the FBI, CIA, and NSA)
are particularly concerned about. In the 1980s, a certification
system called TEMPEST was developed in the U.S. to rate the
susceptibility of computer equipment to such monitoring. Computers
that are TEMPEST-certified are generally substantially less
susceptible to radio monitoring than computers that are not, but they
are usually more expensive and larger because of the extra shielding.
As an alternative to certifying individual computers, you can
TEMPEST-certify rooms or entire buildings. Several office buildings
constructed in Maryland and northern Virginia are encased in a
conductive skin that dampens radio emissions coming from within. As
the majority of RF emissions that can be analyzed result from video
monitors, it is possible to minimize these emissions by using
specially designed screen fonts. Markus Kuhn and Ross Anderson at the
University of Cambridge (http://www.cl.cam.ac.uk/users/rja14/) have
developed such a set of filtered fonts, which they call Soft Tempest;
the fonts can be downloaded from http://www.cl.cam.ac.uk/~mgk25/st-fonts.zip.
Although TEMPEST is not a concern for most computer users, the
possibility of electronic eavesdropping by radio should not be
discounted. Performing such eavesdropping is much easier than you
might expect. It is possible to find plans published on the Internet
that will allow you to build low-cost eavesdropping devices that work
against common PCs.
8.4.1.5 Fiber optic cable
A good
type of physical protection is to use fiber optic media for a
network. It is more difficult to tap into a fiber optic cable than it
is an insulated coaxial cable. Successful taps often require cutting
the fiber optic cable first, thus giving a clear indication that
something is amiss (although an optical
" vampire" tap exists that
can tap a fiber optic network simply by clamping down on the cable).
Fiber optic cabling is also immune to electrical interference and
avoids the ground-loop problems that copper runs between buildings can
cause. However, fiber is sometimes easier to break or damage, and more
difficult to repair, than copper cable.
8.4.1.6 Keyboard monitors
Several
companies sell small keyboard monitors that can be physically
connected between a keyboard and a computer. These monitors capture
every keystroke as it is typed. Because they sit in the cable between
keyboard and computer, software running on the host cannot detect
them; only a physical inspection of the cable path will. To dump the
contents of the memory, the eavesdropper must have physical access to
the computer and type a password on the keyboard. The keyboard monitor
then displays a menu that allows the operator to dump or clear its
memory. A typical device costs $50 and has 128 KB of memory; slightly
costlier versions may have 2 MB of memory or more.
8.4.2 Protecting Backups
Backups should be a prerequisite of any
computer operation—secure or otherwise—but the
information stored on backup tapes is extremely vulnerable. When the
information is stored on a computer, the operating
system's mechanisms of checks and protections
prevent unauthorized people from viewing the data (and can possibly
log failed attempts). After information is written onto a backup
tape, anybody who has physical possession of the tape can read its
contents.
For this reason, protect your backups at least as well as you
normally protect your computers themselves.
Here are some guidelines for protecting your backups:
- Don't leave backups unattended in a computer room
that is generally accessible. Somebody could take a backup and then
have access to all of the files on your system.
- Don't entrust backups to a messenger who is not
bonded.
- Sanitize backup tapes before you sell them, use them as scratch
tapes, or otherwise dispose of them. (See Section 8.4.3 later in this chapter.)
Most backup
programs allow you to encrypt the data before it is written to a
backup. Encrypted backups dramatically reduce the chances that a
backup tape or CD-ROM, if stolen, will be usable by an adversary. If
you use a cryptographic backup system, it is important that you
protect your key—both so that an attacker will not learn the
key, and so that your key will not be lost in the event that you have
a change of staff.
Chapter 18 contains complete information on backups.
8.4.2.1 Verify your backups
You
should periodically verify your backups to make sure they contain
valid data. You need to verify backups that are months or years old
in addition to backups that were made yesterday or the week before.
Sometimes, backups in archives are slowly erased by
environmental conditions. Magnetic
tape is also susceptible to a process called print
through , in which the magnetic
domains on one piece of tape wound on a spool affect the next layer.
The only way to find out if this process is harming your backups is
to test them periodically. You can also minimize print through by
spinning your tapes to the end and then rewinding them, because the
tape will not align in the same way when the tape is rewound. We
recommend that at least once a year, you check a sample of your
backup tapes to make sure that they contain valid data.
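Checking that a backup "contains valid data" means more than confirming that the tape still reads: you need a record, made at backup time, of what the data looked like. The following added example (not from the book, and not the output of any particular backup program) records a SHA-256 digest of every member of a tar archive when the backup is written, authenticates that manifest with an HMAC under a key that is stored apart from the media (the key-protection point made in the section above), and later recomputes the digests from the archive to identify exactly which members have decayed. The files, archive, key and simulated media damage are all constructed in memory.

```python
"""
Added example: build a backup manifest at backup time, verify the archive
against it later. Everything below (files, key, archive) is constructed;
on a real system the archive would be read back from the tape or disk.
"""
import hashlib, hmac, io, json, tarfile

# Constructed files to back up.
FILES = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "home/smith/notes.txt": b"Q3 plan: move payroll to the new host\n",
}
# Manifest key: kept in the key escrow, not on the tape with the backup.
KEY = b"manifest-hmac-key-held-separately"

def make_archive(files: dict) -> bytes:
    """Write an uncompressed tar of the given name -> bytes mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def _digests(archive: bytes) -> dict:
    out = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return out

def _mac(key: bytes, digests: dict) -> str:
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").hexdigest()

def build_manifest(archive: bytes, key: bytes) -> bytes:
    """Made at backup time and stored with the key, not on the media."""
    digests = _digests(archive)
    return json.dumps({"digests": digests, "mac": _mac(key, digests)}, sort_keys=True).encode()

def verify_backup(archive: bytes, manifest: bytes, key: bytes):
    """Returns (manifest_authentic, problems). An empty problems list means
    every member still matches what was written at backup time."""
    doc = json.loads(manifest)
    if not hmac.compare_digest(_mac(key, doc["digests"]), doc["mac"]):
        return False, ["manifest MAC mismatch: wrong key or altered manifest"]
    problems = []
    try:
        now = _digests(archive)
    except tarfile.TarError as e:
        return True, [f"archive unreadable: {e}"]
    for name, want in doc["digests"].items():
        got = now.get(name)
        if got is None:
            problems.append(f"{name}: missing from archive")
        elif got != want:
            problems.append(f"{name}: digest mismatch (media damage?)")
    for name in now:
        if name not in doc["digests"]:
            problems.append(f"{name}: not in manifest")
    return True, problems

def damage(archive: bytes, name: str, index: int = 0) -> bytes:
    """Simulate slow media decay: flip one bit inside the named member's data."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        off = tar.getmember(name).offset_data + index
    b = bytearray(archive)
    b[off] ^= 0x01
    return bytes(b)

def demo():
    archive = make_archive(FILES)
    manifest = build_manifest(archive, KEY)
    fresh = verify_backup(archive, manifest, KEY)
    decayed = verify_backup(damage(archive, "etc/passwd", 5), manifest, KEY)
    wrong_key = verify_backup(archive, manifest, b"wrong key")
    return fresh, decayed, wrong_key

if __name__ == "__main__":
    for label, result in zip(("fresh", "decayed", "wrong key"), demo()):
        print(label, result)
```

Run this against a sample of old tapes once a year, as the text recommends, and keep the manifests and the HMAC key with the key-escrow material rather than with the tapes; a manifest an adversary can rewrite verifies nothing.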
8.4.2.2 Protect your backups
Many of the hazards to computers mentioned
in the first part of this chapter are equally hazardous to backups.
To maximize the chances of your data's surviving in
the event of an accident or malicious incident, keep your computer
system and your backups in different locations.
8.4.3 Sanitizing Media Before Disposal
When you discard disk drives,
CD-ROMs, or tapes, make sure that the data on the media has been
completely erased. This process is called
sanitizing.
Simply deleting a file that is on your hard disk
doesn't delete the data associated with the file.
Parts of the original data—and sometimes entire files—can
usually be easily recovered. When you are disposing of old media, be
sure to destroy the data itself, in addition to the directory
entries. One way to do this is to use the dd command to overwrite the
entire raw disk device (not merely the files on it, and never a disk
whose filesystems are still mounted and in use) with random data.
There are also special-purpose disk sanitation tools that can be used
for additional assurance. Flash-based media remap and spare blocks
behind the drive interface, so an overwrite issued from the host may
never reach every cell; for such drives use the device's own
secure-erase command, or destroy the device.
Modern hard disks pose a unique problem
for media sanitizing in classified environments because of the large
amount of hidden and reserved storage. A typical 80-GB hard disk may
have several megabytes of additional storage; some of this storage is
used for media testing and bad-block remapping, but much of it is
unused during normal operations. With special software, you can
access this reserved storage area; you could even install
"hard disk viruses" that can
reprogram a hard disk controller, take over the
computer's peripheral bus, and transfer data between
two devices, or feed faulty data to the host computer. For these
reasons, hard disks that have held classified information must be
sanitized with software that is specially written for each particular
disk drive's model number and revision level.
If you are a system administrator, you have an
additional responsibility to sanitize your backup tapes before you
dispose of them. Although you may not think that any sensitive or
confidential information is stored on the tapes, your users may have
been storing such information without your knowledge.
For tapes, you can use a bulk eraser,
which is a hand-held electromagnet that has a hefty field. Experiment
with reading back the information stored on tapes that you have
"bulk erased" until you know how
much erasing is necessary to eliminate your data. You can sometimes
use these same erasers on disks, but modern disks use such high
densities of information, and depend on factory-written servo
("timing") tracks, that a bulk eraser may leave the disk unusable
without really eliminating the information on it.
Do not place your bulk eraser near your disks or good tapes! Also
beware of placing the eraser on the other side of a wall from your
disks or tapes. People who have pacemakers or other kinds of implants
should be warned not to approach the eraser while it is operating.
Some
software exists that overwrites optical media, thus erasing the
contents of even write-once items. However, the effectiveness of
these methods varies from media type to media type, and the
overwriting may still leave some residues. For this reason, physical
destruction is preferable.
Unfortunately, physical destruction is getting harder and harder to
do. While incinerators do a remarkably good job of destroying tapes,
stringent environmental regulations have forced many organizations to
abandon this practice. Organizations have likewise had to give up
acid baths. Until recently, crushing was preferred for hard disk
drives and disk packs. But as disk densities get higher and higher,
disk drives must be crushed into smaller and smaller pieces to
frustrate laboratory analysis of the resulting material. As a result,
physical destruction is losing popularity when compared with
software-based techniques for declassifying or sanitizing computer
media.
One common sanitizing method involves overwriting
the entire tape. If you are dealing with highly confidential or
security-related materials, you may wish to overwrite the disk or
tape several times, because data can be recovered from tapes that
have been overwritten only once. Commonly, tapes are overwritten
three times—once with blocks of 0s, then with blocks of 1s, and
then with random numbers. Finally, the tape may be degaussed—or
run through a bandsaw several times to reduce it to thousands of tiny
pieces of plastic.
We recommend that you thoroughly sanitize all media before disposal
by choosing a method that is best suited to your level of risk and
need.
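As an added example (not from the book), here is the overwrite procedure described above carried out in code rather than with dd: a pass of zeros, a pass of ones, and a pass of pseudorandom data over the whole device, each forced to the media with fsync, followed by a read-back pass that confirms the final pattern actually landed. The random pass is generated from a throw-away key with SHAKE-256 so that the verifier can regenerate the expected bytes; a plain os.urandom pass could not be checked afterwards. The target here is a temporary file holding a constructed marker string; on a real system it would be the raw device for the whole disk, opened while nothing on it is mounted. The caveat from the previous subsection still applies: reserved and remapped blocks that the drive hides from the host are not reached by any overwrite from the host.

```python
"""
Added example: three-pass overwrite (0x00, 0xFF, pseudorandom) with a
read-back check. Demonstrated on a temporary file; the same code applies
to a raw block device path.
"""
import hashlib, os, tempfile

CHUNK = 64 * 1024

def _random_chunk(key: bytes, index: int, size: int) -> bytes:
    """Deterministic per-chunk pseudorandom data, regenerable for verification."""
    return hashlib.shake_256(key + index.to_bytes(8, "big")).digest(size)

def _write_all(fd, data: bytes):
    view = memoryview(data)
    while view:
        n = os.write(fd, view)
        view = view[n:]

def _fill(fd, size: int, pattern):
    """Overwrite bytes [0, size) with pattern(index, n) chunks, then fsync."""
    os.lseek(fd, 0, os.SEEK_SET)
    written = index = 0
    while written < size:
        n = min(CHUNK, size - written)
        _write_all(fd, pattern(index, n))
        written += n
        index += 1
    os.fsync(fd)

def sanitize(path: str, passes=("zeros", "ones", "random")) -> dict:
    """Run the overwrite passes over the whole file/device at `path` and
    verify the last pass by reading it back. Returns a summary dict."""
    key = os.urandom(32)  # never stored; only needed for this run's verification
    patterns = {
        "zeros": lambda i, n: b"\x00" * n,
        "ones": lambda i, n: b"\xff" * n,
        "random": lambda i, n: _random_chunk(key, i, n),
    }
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)   # works for regular files and block devices
        for p in passes:
            _fill(fd, size, patterns[p])
        last = patterns[passes[-1]]
        os.lseek(fd, 0, os.SEEK_SET)
        offset = index = mismatched = 0
        while offset < size:
            n = min(CHUNK, size - offset)
            if os.read(fd, n) != last(index, n):
                mismatched += 1
            offset += n
            index += 1
        return {"bytes": size, "passes": len(passes), "mismatched_chunks": mismatched}
    finally:
        os.close(fd)

def demo():
    """Write a constructed secret to a temp file, sanitize it, and report
    whether any copy of the secret survives."""
    marker = b"SECRET-PAYROLL-2003"
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(marker * 10000)           # ~190 KB, spans several chunks
        path = f.name
    try:
        result = sanitize(path)
        with open(path, "rb") as f:
            leftover = marker in f.read()
        return result, leftover
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(demo())
```

A mismatched chunk count other than zero means the media did not take the final pass (a failing sector, or a drive silently substituting a spare), and the device should be treated as not sanitized.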
8.4.4 Sanitizing Printed Media
In the previous section, we discussed the
importance of erasing magnetic media before disposing of it. However,
magnetic media is not the only material that should be carefully
"sanitized" before disposal. Other
material that may find its way into the trash may contain information
that is useful to criminals or competitors. This includes printouts
of software (including incomplete versions), memos, design documents,
preliminary code, planning documents, internal newsletters, company
phone books, manuals, and other material.
Obviously, some program printouts might be used against you,
especially if enough printouts are collected over time to derive a
complete picture of your software development and web organization.
If the code is commented well enough, it may also give away clues as
to the identity of beta testers and customers, testing strategies,
and marketing plans.
Other material may be used to derive
information about company personnel and operations. With a company
phone book, someone could masquerade as an employee over the
telephone and obtain sensitive information, including dialup numbers,
account names, and passwords. Sounds far-fetched? Think
again—there are numerous stories of such
social engineering. The more internal
information an outsider has, the more easily he can obtain sensitive
information. By knowing the names, office numbers, and extensions of
company officials and their staff, he can easily convince an
overworked and undertrained operator that he needs to violate the
written policy—or incur the wrath of the "vice
president"—on the phone.
Other information that may find its way into your dumpster includes
the types and versions of your operating systems and computers,
serial numbers, patch levels, and so on. It may include hostnames, IP
numbers, account names, and other information critical to an
attacker. We have heard of some firms disposing of listings of their
complete firewall configuration and filter rules—a gold mine
for someone seeking to infiltrate the computers.
How will this information find its way into the wrong hands? Well,
dumpster diving or
trashing
is one such way. After hours, someone intent on breaking your
security could be rummaging through your dumpster, looking for useful
information. In one case we heard recounted, a
"diver" dressed up as a street
person (letting his beard grow a bit and not bathing for a few days)
splashed a little cheap booze on himself, half-filled a mesh bag with
empty soda cans, and went to work. As he went from dumpster to
dumpster in an industrial office park, he was effectively invisible:
busy and well-paid executives seem to see through the homeless and
unfortunate. If someone began to approach him, he would pluck
invisible bugs from his shirt and talk loudly to himself. In the one
case where he was accosted by a security guard, he was able to
convince the guard to let him continue looking for
"cans" for spare change. He even
panhandled the guard to give him $5 for a meal!
Perhaps you have your dumpster inside a guarded fence. But what
happens after it is picked up by the trash hauler? Is it dumped where
someone can go through the information off your premises?
Consider
carefully the value of the information you throw away. Consider
investing in shredders for each location where information of value
might be thrown away. Educate your users not to dispose of sensitive
material in their refuse at home, but to bring it in to the office to
be shredded. If your organization is large enough and local
ordinances allow, you may also wish to incinerate some sensitive
paper waste on-site.
Home users are also vulnerable to this kind of scavenging.
Unsanitized disposal of papers with passwords or system information,
credit card receipts and bills, and personal documents may lead to
unwanted intrusions (into privacy as well as web pages). A personal
shredder can be purchased for a small amount of money at any large
discount store or office supply outlet. This should be routinely used
on documents that may contain any sensitive information.
8.4.5 Protecting Local Storage
In addition to computers and
mass-storage systems, many other pieces of electrical data-processing
equipment store information. For example, terminals, modems, and
laser printers often contain pieces of memory that may be downloaded
and uploaded with appropriate control sequences.
Naturally, any piece of memory that is used to hold sensitive
information presents a security problem, especially if that piece of
memory is not protected with a password, encryption, or other similar
mechanism. However, the local storage in many devices presents an
additional security problem, because sensitive information is
frequently copied into such local storage without the knowledge of
the computer user.
8.4.5.1 Printer buffers
Many high-speed laser printers are programmable and contain
significant amounts of local storage. (Some laser printers have
internal hard disks that can be used to store hundreds of megabytes
of information.) Some of these printers can be programmed to store a
copy of any document printed for later use. Other printers use the
local storage as a buffer; unless the buffer is appropriately
sanitized after printing, an attacker with sufficient skill can
retrieve some or all of the contained data. The same is true of some
networked fax machines.
8.4.5.2 Printer output
One form of local storage you may not think
of is the output of your workgroup printer. If the printer is located
in a semipublic location, the output may be vulnerable to theft or
copying before it is claimed. You should ensure that printers,
plotters, and other output devices are in a secured location. Fax
machines face similar vulnerabilities.
8.4.5.3 X terminals
Many X Window terminals have substantial amounts
of local storage. Some X terminals even have hard disks that can be
accessed from over the network. Few support any cryptographic
protocols.
Here are some guidelines for using X terminals securely:
- If your users work with sensitive information, they should turn off
their X terminals at the end of the day to clear the
terminals' RAM memory.
- If your X terminals have hard disks, you should be sure that the
terminals are password-protected so that they cannot be easily
reprogrammed over the network. Do not allow service personnel to
remove the X terminals for repair unless the disks are first removed
and erased.
8.4.5.4 Function keys
Many smart terminals are equipped with function keys that can be
programmed to send an arbitrary sequence of keystrokes to the
computer whenever a function key is pressed. If a function key is
used to store a password, then any person who has physical access to
the terminal can impersonate the terminal's primary
user. If a terminal is stolen, then the passwords are compromised.
Therefore, we recommend that you never use function keys to store
passwords or other kinds of sensitive information (such as
cryptographic keys).
8.4.6 Unattended Terminals
Unattended terminals where users
have left themselves logged in present a special attraction for
vandals (as well as for computer crackers). A vandal can access the
person's files with impunity. Alternatively, the
vandal can use the person's account as a starting
point for launching an attack against the computer system or the
entire network: any tracing of the attack will usually point fingers
back toward the account's owner, not to the vandal.
Not only does this scenario allow someone to create a
"back door" into the account of the
user involved, and thus gain longer-term access, but an untrained
attacker could also commit some email mayhem. Imagine someone sending
email, as you, to the CEO or the Dean, making some lunatic and
obscene suggestions? Or perhaps email to
whitehouse.gov with a threat against the
President? Hence, you should never leave terminals
unattended for more than short periods of time.
Some systems have the ability to log off a user
automatically—or at least blank his screen and lock his
keyboard—when the user's terminal has been
idle for more than a few minutes.
8.4.6.1 Built-in shell autologout
If you use the C shell under Unix, you can use the
autologout
shell variable to log you out automatically after you have been idle
for a specified number of minutes. Normally, this variable is set in
your ~/.cshrc file. (Note that the autologout
variable is not available under all versions of the C shell.)
For example, if you wish to be logged out automatically after you
have been idle for 10 minutes, place this line in your
~/.cshrc file:
set autologout=10
Note that the C shell will log you out only if you are idle at the C
shell's command prompt. If you are idle within an
application, such as a word processor, you will remain logged in.
ksh (the Korn shell) and bash have a TMOUT variable that
performs a similar function, and with the same limitation: it fires
only while the shell is waiting at its prompt. TMOUT is specified in
seconds:
TMOUT=600
Because a user can simply unset a variable in a personal startup file,
set it from a root-owned system-wide profile and mark it read-only
there if you want the timeout enforced rather than merely offered.
8.4.6.2 Screensavers
You may wish to use a
screensaver
that automatically locks your workstation after the keyboard and
mouse have been inactive for more than a predetermined number of
minutes. There are many screensavers to choose from on a variety of
platforms, including Unix, Mac OS, and Windows NT.
Many vendor-supplied screensavers respond
to built-in passwords in addition to the user's
passwords. The Unix lock program, for example,
once had a back door that would allow any user's
terminal to be unlocked with the password hasta
la vista—and this fact
was undocumented in the manual. Unless you have the source code for a
program, there is no way to determine whether it has a back door of
any kind. You would be better off using a vendor-supplied locking
tool than leaving your terminal unattended and unlocked while you go
for coffee. But be attentive, and beware.
8.4.7 Key Switches
Some kinds of computers have key
switches that can be used to prevent the system from being rebooted
in single-user mode. Some computers also have ROM monitors that
prevent the system from being rebooted in single-user mode without a
password. Sun's OpenBoot system and all new
Macintosh systems support use of a password to control boot
configuration access.
Key switches and ROM monitor passwords provide additional security
and should be used when possible. However, you should also remember that any
computer can be unplugged. The most important way to protect a
computer is to restrict physical access to that computer.